We have the tree configuration at the moment - and all we were really
interested in is the stuff coming in off our local internet connection, and
stuff coming in from our WAN connections to other global offices, who have
their own internet connections, and network staff with the savvy of boiled
potatoes....
We've set it up as has been suggested and are already reaping the rewards :)
Thank you all so much for the quick replies - it's been most helpful...
Bry
> -----Original Message-----
> From: Mayers, Philip J [mailto:p.mayers at ...1913...]
> Sent: 21 September 2001 16:27
> To: Bryan Childs; 'Erek Adams'
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] Configuring Cisco switches...
>>> Without knowing your network topology requirements, that's
> impossible to
> answer. Generally speaking, you can only mirror what passes
> through the
> switch - which means that if the switch sits between you and
> the outside
> world in a tree configuration (trunk==connection to internet,
> branches==connections into site) then you'll only see traffic
> crossing your
> routing boundary.
>> However, if your layout is a star (connection to internet==one arm,
> connections to site==other arms) then all cross-site (e.g. from one
> building/distributor to another) traffic can also be mirrored
> - but then
> you're not seeing intra-building/distributor traffic...
>> At that point, you have to ask yourself - by introducing a large
> single-point-of-failure (the star centre) into the network, just to be
> paranoid about seeing your internal traffic, haven't you just
> gone over the
> top? Balance your business need against "cost", and if you
> really need to
> see intra-distributor traffic, use a distributed snort system
> logging into a
> central database with one snort box per chokepoint.
>> Regards,
> Phil
>> +------------------------------------------+
> | Phil Mayers |
> | Network & Infrastructure Group |
> | Information & Communication Technologies |
> | Imperial College |
> +------------------------------------------+
>> -----Original Message-----
> From: Bryan Childs [mailto:bryan.childs at ...3120...]
> Sent: 21 September 2001 15:21
> To: 'Erek Adams'
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] Configuring Cisco switches...
>>> Ok - after talking to my net admin chappy - he has another
> question, and I
> quote :
>> "it would be better to ask of the best way to set up an
> ethernet network to
> optimise your chances of capturing information whilst maintaining high
> performance switched networks"
>> and he said to ignore any smart arses that suggested going
> back to using
> hubs :)
>> Well ?
>> Anyone got any good advice on this...
>> On the face of it - turning on the port mirroring on the
> switch sounds like
> it will do the job - but will anything suffer noticeably
> after we've done
> it? (Apart from the snort box, we're expecting that!)
>> Bry
>>> > -----Original Message-----
> > From: Erek Adams [mailto:erek at ...577...]
> > Sent: 21 September 2001 15:15
> > To: Bryan Childs
> > Cc: 'snort-users at lists.sourceforge.net'
> > Subject: Re: [Snort-users] Configuring Cisco switches...
> >
> >
> > On Fri, 21 Sep 2001, Bryan Childs wrote:
> >
> > > Hi everyone - this question has probably been done to
> > death, but my google
> > > searching for answers has amounted to nought - so I'm going
> > to have to ask
> > > it again I'm afraid!
> >
> > It's Ok, we'll just give you lashes with a wet noodle. ;-)
> >
> > > The network here in my building is of course suffering from
> > the recent Nimda
> > > virus/worm breakout, and we're trying to track infected
> > boxes with snort.
> > >
> > > The entire network here is running on switched ethernet,
> > which is giving us
> > > a bit of a headache. Most of the switches are dumb 3Com
> > supplied ones, but
> > > we've been sensible enough (we think) to plug out snort box
> > into the Cisco
> > > one which sits at the top of the network.
> > >
> > > The trouble is that we *still* don't seem to be able to
> > monitor attacks
> > > which don't directly go for the snort box itself.
> > >
> > > The card is set up in promiscuous mode as it should be -
> > but we think we
> > > need to do something to the switch to make sure it sees ALL
> > our internal
> > > network traffic.
> > >
> > > Does anyone know what we might have missed? Or have any
> > suggestions at all?
> >
> > Yeppers...
> >
> > http://snort.sourcefire.com/docs/faq.html#1.8> >
> > Now, your Cisco _should_ be able to do that. If you don't
> > know talk with your
> > local netoworking geek. Bribe him with some wire ties or
> something...
> >
> > > Cheers amigos......
> >
> > Oh, you're bringing the beer? Great! Bring some Shinerbock. :)
> >
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> >
>>> ********
>> Mercator - find out more at http://www.mercator.com>> The information in this email is confidential and is intended
> solely for the
> addressee(s). Access to this email by anyone else is
> unauthorised. If you
> are not an intended recipient, you must not read, use or
> disseminate the
> information contained in the email.
> Any views expressed in this message are those of the
> individual sender,
> except where the sender specifically states them to be the
> views of Mercator
> Software Ltd.
> Email to and from Mercator may be monitored.
>> ********
>>>> _______________________________________________
> Snort-users mailing list
>Snort-users at lists.sourceforge.net> Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users> Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users>